Active Directory
- By Orin Thomas
- 2/25/2026
Restoring deleted items
Sometimes an Active Directory object, such as a user account or even an entire OU, is deleted accidentally or, on occasion, maliciously. Rather than re-create the deleted item or items, you can restore them. Deleted objects are retained within the AD DS database as tombstones for a period specified by the tombstone lifetime, so you can recover a deleted item without restoring Active Directory from backup as long as the deletion happened within the tombstone lifetime window. Note that a tombstone keeps only a small subset of the object's attributes (for example objectGUID, objectSid and sAMAccountName); an object reanimated from a tombstone without Active Directory Recycle Bin loses most of its other attribute values, including group memberships, which must then be repopulated by hand or from a backup.
The default tombstone lifetime is 180 days for any forest created with Windows Server 2003 SP1 or later, which includes every forest at the Windows Server 2008 forest functional level or higher. The value is stored in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition. If that attribute has no value (a forest created with an earlier version of Windows Server and never updated), the effective lifetime is 60 days, so do not assume 180 days without checking. You can check the value by issuing the following command from an elevated command prompt (substituting dc=Contoso,dc=Internal for the suffix of your organization's forest root domain):
For most organizations the 180-day default is fine, but some administrators might want to increase or decrease this value to give themselves a larger or smaller window for easily restoring deleted items. Shortening it is the riskier direction: tombstones older than the new value become eligible for garbage collection at the next collection cycle, and a backup older than the tombstone lifetime can no longer be used to restore a domain controller. You can change the tombstone lifetime by performing the following steps:
From an elevated command prompt or PowerShell session, type ADSIEdit.msc.
From the Action menu, click Connect To. In the Connection Settings dialog, click Configuration, as shown in Figure 4-25, and then click OK.
Figure 4-25 Connection settings
Right-click the CN=Services, CN=Windows NT, CN=Directory Service node and click Properties.
In the list of attributes, select tombstoneLifetime, as shown in Figure 4-26, and click Edit.
Figure 4-26 Tombstone lifetime
On the Integer Attribute Editor dialog, enter the new value for the tombstone lifetime and click OK twice.
Close the ADSI Edit console.
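The same check and change, scripted with the ActiveDirectory module rather than clicked through in ADSI Edit. This is an added example and not part of the original text; it assumes the RSAT ActiveDirectory module is installed, that the session is elevated and running as an Enterprise Admin, and that 365 days is merely an illustrative new value.

```powershell
# Added example: read and change the forest tombstone lifetime with PowerShell.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

# The attribute lives on a well-known object in the Configuration partition;
# read the partition DN from RootDSE instead of hard-coding dc=contoso,dc=internal.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Read the current value. An unset attribute is significant: a forest created
# before Windows Server 2003 SP1 has no value here and uses 60 days.
$ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
if ($null -eq $ds.tombstoneLifetime) {
    Write-Host 'tombstoneLifetime is not set; effective value is 60 days'
} else {
    Write-Host "tombstoneLifetime = $($ds.tombstoneLifetime) days"
}

# Change it. The value is replicated forest-wide. Tombstones already older than
# a new, shorter value are garbage-collected at the next cycle, so confirm that
# your newest system state backup is younger than the new window first.
$newLifetime = 365   # illustrative value
Set-ADObject -Identity $dsDn -Replace @{ tombstoneLifetime = $newLifetime }

# Verify, and show the related Recycle Bin value, msDS-DeletedObjectLifetime,
# which falls back to the tombstone lifetime when it is unset.
Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# The equivalent one-line check from a plain command prompt:
#   dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=contoso,dc=internal" -scope base -attr tombstonelifetime
```

The dsquery line at the end is the classic command-prompt check; it returns the attribute name with an empty value when the attribute is unset, which is the 60-day case described above.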
Active Directory Recycle Bin
Active Directory Recycle Bin allows you to restore items that have been deleted from Active Directory, with all their attributes and group memberships intact, for as long as they remain in the Deleted Objects container. That period is the deleted object lifetime (the msDS-DeletedObjectLifetime attribute), which defaults to the tombstone lifetime when it is not set explicitly; after it expires the object becomes a recycled object and can no longer be restored. Active Directory Recycle Bin requires that the forest functional level be Windows Server 2008 R2 or higher.
Once activated, you can’t deactivate the Active Directory Recycle Bin. There isn’t any great reason to want to deactivate AD Recycle Bin once it’s activated. You don’t have to use it to restore deleted items if you still prefer to go through the authoritative restore process.
To activate the Active Directory Recycle Bin, perform the following steps:
Open the Active Directory Administrative Center and select the domain that you want to enable.
In the Tasks pane, click Enable Recycle Bin, as shown in Figure 4-27.
Figure 4-27 Enable Recycle Bin
After you've enabled the AD Recycle Bin, you can restore an object from the newly available Deleted Objects container. This assumes that the object was deleted after the Recycle Bin was enabled (objects that were already tombstones when you enabled the feature become recycled objects and cannot be restored this way) and that the deleted object lifetime has not been exceeded. To recover the object, select it in the Deleted Objects container and then click Restore or Restore To. Figure 4-28 shows a deleted item being selected, which can then be restored to its original location. The Restore To option allows you to restore the object to another available location, such as another OU; you need it whenever the original parent container no longer exists, because an object cannot be restored into a parent that is itself still deleted.
Figure 4-28 Deleted Objects container
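Enabling the Recycle Bin and restoring a deleted OU together with everything it held, done from PowerShell instead of the Administrative Center. This is an added example and not part of the original text; it assumes the ActiveDirectory module, a forest already at the Windows Server 2008 R2 functional level, Enterprise Admin rights, and a hypothetical contoso.com forest in which an OU named Planets containing a user named Mercury was deleted after the feature was enabled.

```powershell
# Added example: enable AD Recycle Bin and restore a deleted OU tree.
# Assumes the ActiveDirectory module, forest functional level 2008 R2+,
# Enterprise Admin rights, and the hypothetical objects named below.
Import-Module ActiveDirectory

# 1. Enable the feature. This is irreversible and forest-wide; -Target is the
#    forest root domain. Tombstones that already exist become recycled objects.
$forestRoot = (Get-ADForest).RootDomain
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forestRoot -Confirm:$false

# 2. Inventory what is restorable. -IncludeDeletedObjects is mandatory; the
#    Deleted Objects container itself is flagged isDeleted, so exclude it.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, objectClass, whenChanged |
    Select-Object Name, objectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 3. Restore a subtree. Restore-ADObject refuses to place an object under a
#    parent that is still deleted, so the parent must come back first. Objects
#    deleted as part of the same tree keep the parent's original DN in
#    lastKnownParent, which is what this recursion matches on.
function Restore-DeletedTree {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    $restored = Restore-ADObject -Identity $ObjectGuid -PassThru
    $children = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $restored.DistinguishedName }
    foreach ($child in $children) {
        Restore-DeletedTree -ObjectGuid $child.ObjectGUID | Out-Null
    }
    return $restored
}

# Deleted objects are renamed "<name>\0ADEL:<guid>", hence the wildcard match.
$deletedOu = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "organizationalUnit" -and name -like "Planets*"' `
    -IncludeDeletedObjects
Restore-DeletedTree -ObjectGuid $deletedOu.ObjectGUID

# 4. "Restore To": put a single object somewhere else when its original
#    parent is gone for good, optionally under a new name.
$mercury = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and name -like "Mercury*"' `
    -IncludeDeletedObjects
if ($mercury) {
    Restore-ADObject -Identity $mercury.ObjectGUID `
        -TargetPath "OU=Recovered,DC=contoso,DC=com" -NewName 'Mercury'
}
```

If a restore fails with an "object not found" style error even though the object appears in the inventory, check whether its deleted object lifetime has expired: recycled objects still show up with isDeleted set but carry isRecycled as well, and no Recycle Bin operation can bring them back.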
Authoritative restore
An authoritative restore is performed when you want the items you are recovering to overwrite the corresponding items in the current Active Directory database. If you perform a normal (non-authoritative) restore, Active Directory assumes that the restored data is simply out of date and overwrites it with the current state when the domain controller next replicates with its partners. For example, if an object was backed up on Tuesday and deleted on Thursday, a non-authoritative restore from Tuesday's backup brings the object back only until the next replication cycle, at which point the Thursday deletion is replicated in and the object is deleted again. An authoritative restore marks the restored objects so that replication partners accept them as newer than their own copies. You do not need to perform an authoritative restore if you have only one domain controller, because there is no other domain controller that can overwrite the restored data.
An authoritative restore is useful in the following scenarios:
You haven’t enabled Active Directory Recycle Bin.
You have enabled Active Directory Recycle Bin, but the object you want to restore was deleted before you enabled Active Directory Recycle Bin.
You need to restore items that are older than the tombstone lifetime of the AD DS database.
To perform an authoritative restore, you need to reboot a DC into Directory Services Restore Mode. If you want to restore an item that’s older than the tombstone lifetime of the AD DS database, you also need to restore the AD DS database. You can do this by restoring the system state data on the server. You’ll likely need to take the DC temporarily off the network to perform this operation, because if you restore a computer with old system state data and the DC synchronizes, all the data that you want to recover will be deleted when the domain controller synchronizes.
You can configure a server to boot into Directory Services Restore Mode from the System Configuration utility. To do this, select the Active Directory Repair option on the Boot tab as shown in Figure 4-29. After you’ve finished with Directory Services Restore Mode, use this same utility to restore normal boot functionality.
Figure 4-29 System Configuration
To enter Directory Services Restore Mode, you need the Directory Services Restore Mode password, which was set when the domain controller was promoted and can be changed with ntdsutil (set dsrm password). It unlocks a local Administrator account on the DC that is independent of Active Directory, so treat it as a privileged credential: keep it unique per DC, store it where it can be retrieved during an outage, and rotate it when administrators leave.
To perform an authoritative restore, perform the following general steps:
Choose a computer that functions as a global catalog server. This DC functions as your restore server.
Locate the most recent system state backup that contains the objects that you want to restore.
Restart the restore server in DSRM and sign in with the DSRM password.
Restore the system state data.
Use the following command to restore items (where Mercury is the object name, Planets is the OU that it is contained in, and contoso.com is the host domain):
If an entire OU is deleted, you can use the Restore Subtree option. For example, if you deleted the Planets OU and all the accounts that it held in the contoso.com domain, you could use the following command to restore it and all the items it contained:
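The authoritative restore end to end, as typed on the restore server. This is an added example and not part of the original text; it assumes the server's system state has already been restored from backup while in DSRM, and it uses the same hypothetical objects as the text (user Mercury in OU Planets in contoso.com). The bcdedit lines are an alternative to the System Configuration utility in Figure 4-29.

```powershell
# Added example: authoritative restore with ntdsutil, plus the boot switch
# and the back-link import that the restore does not handle by itself.
# Assumes the system state has already been restored in DSRM and the
# hypothetical objects named below.

# Boot into DSRM without the System Configuration GUI; clear it when done.
bcdedit /set safeboot dsrepair
Restart-Computer
# ... run the restore below while in DSRM, then:
# bcdedit /deletevalue safeboot

# Mark one object authoritative. ntdsutil increments the object's version
# numbers by a large amount (100000 per day since the backup by default), so
# replication partners treat the restored copy as newer and accept it.
ntdsutil "authoritative restore" "restore object cn=Mercury,ou=Planets,dc=contoso,dc=com" quit quit

# Or mark an entire OU subtree authoritative in one operation.
ntdsutil "authoritative restore" "restore subtree ou=Planets,dc=contoso,dc=com" quit quit

# ntdsutil writes, in the directory it was run from, a text file listing the
# restored objects and one .ldf per domain named like
# ar_<date>-<time>_links_<domain>.ldf. These hold the group memberships
# (back-links) that the restore cannot propagate to DCs in other domains or
# that were stripped from objects before restore. After the DC is back online
# and has replicated, import them on a writable DC in each domain listed.
# -k tells ldifde to continue past "already exists" style errors.
Get-ChildItem -Path . -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName
}

# Confirm the version bump took effect on a partner DC (run after reboot):
repadmin /showobjmeta DC02 "cn=Mercury,ou=Planets,dc=contoso,dc=com"
```

Restoring the subtree restores the OU and every object it contained at backup time, including any that were deliberately deleted between the backup and the incident, so review the object list ntdsutil writes before the DC replicates again.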
Active Directory snapshots
You can use the Active Directory database mounting tool, dsamain.exe, to mount the contents of the AD DS database as it exists in snapshots or in backups so that you can interact with it using the Active Directory Users and Computers console. This provides you with a quick way of checking the state of a snapshot or backup without actually having to restore it to a production or development environment. For example, you might do this if you want to check what the AD DS database looked like at a specific point in time to determine the state of particular accounts or organizational units.
If you restored the AD DS database file, ntds.dit, to the location c:\restore, you could mount this file using the dsamain.exe utility on port 51389 by entering the following command:
You can then use Active Directory Users And Computers to connect to the specified port, in this case, port 51389, to view the mounted version of the AD DS database.
You can also create snapshots of the AD DS database that you can interact with without having to make a backup. A snapshot is a copy of the AD DS database as it exists at a specific point in time. You create a snapshot of the AD DS database by running the following command from an elevated command prompt on a domain controller:
You can list all current snapshots of the AD DS database on a domain controller by running the following command:
Each snapshot has an odd number associated with it next to the date the snapshot was taken. To select and mount a snapshot, use the command:
This mounts snapshot 1. Make a note of the path on which the snapshot is mounted. You can then use the dsamain.exe command to expose the snapshot as an LDAP server. The database file within the snapshot sits at the same relative location it has on the live volume, normally Windows\NTDS\ntds.dit. For example, to make the snapshot mounted at C:\$SNAP_201606100306_VOLUMEC$\ accessible on port 51389, use the command
You can then use Active Directory Users And Computers to connect to the specified port to view the mounted snapshot. By default only members of the Domain Admins and Enterprise Admins groups can bind to a mounted snapshot; dsamain.exe has an -allowNonAdminAccess switch that relaxes this, but a snapshot contains the complete database, password hashes included, so a mounted snapshot and the files under the snapshot path deserve the same protection as the live ntds.dit. Unmount and delete snapshots when you are finished with them. While you can't directly copy objects from a snapshot to the production version of the AD DS database, you can use utilities such as CSVDE and LDIFDE to export information from a snapshot and then later import it into the production AD DS database.
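The full snapshot workflow, from creation through a query against the mounted copy to clean-up. This is an added example and not part of the original text; it assumes an elevated session on a domain controller with the ActiveDirectory module, reuses port 51389 and the snapshot path from the text, and treats the snapshot index, the user Mercury and the Planets OU as illustrative.

```powershell
# Added example: create, mount, query and remove an AD DS snapshot.
# Assumes an elevated session on a DC, the ActiveDirectory module, and the
# illustrative snapshot index, path and object names used below.

# Create the snapshot (a Volume Shadow Copy of the volumes holding ntds.dit).
ntdsutil snapshot "activate instance ntds" create quit quit

# List snapshots. "list all" must run in the same ntdsutil session as the
# mount, because the indexes it assigns are only valid for that session.
ntdsutil snapshot "list all" quit quit

# Mount snapshot 1; ntdsutil prints the mount point, e.g. C:\$SNAP_201606100306_VOLUMEC$\
ntdsutil snapshot "list all" "mount 1" quit quit

# Serve the snapshot's database over LDAP. Single quotes stop PowerShell from
# expanding $SNAP as a variable. Without -allowNonAdminAccess only Domain
# Admins and Enterprise Admins can bind. dsamain stays in the foreground, so
# start it as its own process.
$dit = 'C:\$SNAP_201606100306_VOLUMEC$\Windows\NTDS\ntds.dit'
Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport 51389"
Start-Sleep -Seconds 5

# Query the mounted copy directly instead of clicking through ADUC: for
# example, diff a user's group memberships then and now.
$then = Get-ADUser -Identity Mercury -Server 'localhost:51389' -Properties memberOf
$now  = Get-ADUser -Identity Mercury -Properties memberOf
Compare-Object -ReferenceObject $then.memberOf -DifferenceObject $now.memberOf

# Export part of the snapshot with LDIFDE for later import into production
# (-s server, -t port, -d base DN, -p scope).
ldifde -f C:\restore\planets.ldf -s localhost -t 51389 -d "OU=Planets,DC=contoso,DC=com" -p subtree

# Clean up: stop dsamain, then unmount and delete the snapshot so the copy of
# the database (hashes included) does not linger on the volume.
Get-Process -Name dsamain -ErrorAction SilentlyContinue | Stop-Process
ntdsutil snapshot "list all" "unmount 1" "delete 1" quit quit
```

Because the mounted instance is read-only and answers on a non-standard port, ADUC has to be pointed at it explicitly: right-click the domain, choose Change Domain Controller, and enter the DC name followed by a colon and the port.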